Linux 101 Command Line Cheat Sheet
Tab-completion:
Folks who are new to the Unix/Linux command line often attempt to type everything by hand. This may work well if you type quickly and accurately. Most of us are much better off using tab completion.
Note that Windows PowerShell also supports tab completion, but it handles ambiguity differently. See the PowerShell cheat sheet for more information.
Type the following, and then press the <TAB> key:
Then press <TAB>.
Note that it autocompletes to /etc/passwd.
Now try tabbing with ambiguity:
Then press <TAB> <TAB>.
Note that it offers two choices: Documents/ Downloads/.
Now add a "w" and press <TAB>:
Press <TAB>. It autocompletes to ~/Downloads/.
cat
Display a file:
Concatenate (cat) /etc/issue and /etc/hostname, create /home/student/issue-and-hostname.txt:
cd
Change Directory (cd) to the /tmp directory:
Change to the home directory. The following commands are equivalent for the "student" user: "~" means home directory (for example: /home/student):
Change to the parent directory. For example: if you are in /tmp/subdirectory/, this will change your working directory to /tmp/:
echo
Print (echo) the string "Cylon":
Create or overwrite the file example.txt, containing the string "Cylon":
Append the string "Galactica" to the file example.txt:
ls
List the files in the current directory (equivalent to the cmd.exe "dir" command):
List the files in the current directory, long output (-l), all files including "hidden" files that begin with a "." (-a):
List the files in the current directory, long output (-l), all files (-a), sort by time (-t):
List the files in the current directory, long output (-l), all files (-a), reverse (-r) sort by time (-t):
networking
Show network interface configuration:
Show network interface configuration using "ip":
Restart networking:
passwd
Change your password:
ping
ping a host forever (until CTRL-C is pressed), see if it is up (and unfiltered):
ping a host 3 times, see if it is up (and unfiltered):
pwd
Print Working Directory (pwd), show the current directory:
sudo
Run a command as root (password is "Security511"):
Open a root bash shell (password is "Security511"):
Linux Command Line Cheat Sheet
awk
Print the length of each line of a file (/etc/passwd in this case), followed by the line itself:
Print the 2nd field from a file using the string 'Mozilla/' as a delimiter:
Print the last colon delimited field:
Print the 2nd-to-last colon delimited field:
checksums
Generate the MD5 checksum of a file:
Generate the SHA1 checksum of a file. The three following commands are equivalent:
Generate the SHA-256 checksum of a file:
Generate the SHA-512 checksum of a file:
cut
Cut the 6th field from a file, using the space as a delimiter:
Cut the 2nd and 3rd field from a file, use the comma as a delimiter:
Cut beginning at the 7th field, to end of line, using the space as a delimiter:
Cut the 6th field, using the double-quote (") as a delimiter, and escaping it to treat it as a literal character:
Cut beginning at the 11th character, to end of line:
file
Determine the file type, using the file's magic bytes:
grep
Search for lines containing the string "bash", case sensitive:
Search for lines containing the string "bash", case insensitive:
Search for lines that do not contain the string "bash", case insensitive:
Search for lines containing the string "root", case sensitive, plus print the next 5 lines:
head
Print the first 10 lines of a file:
ngrep
Search /pcaps/blackhole.pcap for the string "This program cannot be run in DOS mode":
sed
grep for lines containing "Mozilla", then change "Mozilla" to "MosaicKilla":
grep for lines containing "Mozilla", then delete all characters up to and including "Mozilla":
grep for lines containing "Mozilla", then delete all characters that precede "Mozilla":
sort
The following examples will run strings on a file, search for user-agent (ignore case), and use various sort options:
Simple alphabetic sort (may include duplicates):
Sort and unique lines. The two following sets of commands are equivalent:
Get a numeric count of each unique entry:
Get a numeric count of each unique entry, perform a numeric sort of that count:
Sort and unique lines, print the length of each unique line followed by the line itself, perform a reverse numeric sort of that count:
Sort on the second comma separated field:
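The sort and count steps above combined into one rarest-first User-Agent tally, as an added example that is not part of the original cheat sheet. The function names (sample_headers, ua_counts, ua_by_length) and the header lines are constructed for illustration; in practice the functions would read the output of strings run on a file.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Sample data is constructed.

# Constructed header lines, as `strings` might pull from a capture file.
sample_headers() {
  cat <<'EOF'
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
user-agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
Host: intranet.example
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
USER-AGENT: updater
EOF
}

# Keep User-Agent lines (any case) and strip the header name, so differently
# cased headers collapse into one entry. Then count each distinct value and
# sort numerically so the rarest agents come first.
ua_counts() {
  grep -i '^user-agent:' | sed 's/^[^:]*: *//' | sort | uniq -c | sort -n |
    awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# Unique values prefixed by their length, longest first (the awk length idiom).
ua_by_length() {
  grep -i '^user-agent:' | sed 's/^[^:]*: *//' | sort -u |
    awk '{ print length($0) "\t" $0 }' | sort -rn
}

sample_headers | ua_counts
sample_headers | ua_by_length
```

Entries with a count of 1 at the top of the ua_counts output are the long tail worth reviewing first.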
tshark
Open /pcaps/zeus-gameover-loader.pcap and apply the display filter http.request.method:
Sort TCP conversations by bytes transferred:
xxd
xxd creates a hexdump, or converts a hexdump into binary. A lot of malware hex-encodes web traffic or malicious payloads (such as DOS executables) in order to avoid signature matching. Useful hex patterns to look for are 4d5a90 (the magic bytes for a DOS executable: "MZ<90>"), and "DOS mode" (444f53206d6f6465, see commands below).
xxd cannot natively handle percent-encoded hex, such as "%63%67%69%2D%62%69%6E", but can if the percent signs are removed (see below).
Convert the string "DOS mode" to hex, grouped in sets of 4 hex characters (default):
Convert the string "DOS mode" to hex, ungrouped:
Convert the hex string "444f53206d6f6465" to binary:
Use sed to remove the percent signs from the percent-encoded hex string "%63%67%69%2D%62%69%6E", then translate to binary:
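The decode and pattern-hunting steps described in this section, as an added example that is not part of the original cheat sheet. The function names (normalize_hex, hex_to_bin, scan_hex), the printf fallback for hosts without xxd, and the sample hex string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. All sample values are constructed.

# Strip percent signs (the page's sed step) and whitespace, lower-case the digits.
normalize_hex() {
  printf '%s' "$1" | sed 's/%//g' | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# Hex text -> raw bytes. Uses xxd -r -p as on the page; the printf loop is a
# fallback (an assumption of this example) for hosts without xxd installed.
hex_to_bin() {
  hex=$(normalize_hex "$1")
  if command -v xxd >/dev/null 2>&1; then
    printf '%s' "$hex" | xxd -r -p
  else
    while [ "${#hex}" -ge 2 ]; do
      byte=${hex%"${hex#??}"}                   # first two hex digits
      printf "\\$(printf '%03o' "0x$byte")"     # emit as an octal escape
      hex=${hex#??}
    done
  fi
}

# Report which of the page's two patterns occur in hex-encoded text.
# Digits are split into "xx xx xx" pairs first, so a pattern only matches on a
# byte boundary: a plain grep for 4d5a90 would also hit inside 04 d5 a9 00.
scan_hex() {
  bytes=$(normalize_hex "$1" | sed 's/../& /g')
  found=""
  case "$bytes" in *"4d 5a 90"*) found="MZ" ;; esac
  case "$bytes" in
    *"44 4f 53 20 6d 6f 64 65"*) found="${found:+$found,}DOS-mode" ;;
  esac
  printf '%s\n' "${found:-none}"
}

# Constructed sample: "MZ<90>" 00, then the DOS stub message, upper-case hex.
SAMPLE_PE='4D5A9000546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F6465'

hex_to_bin '%63%67%69%2D%62%69%6E'; echo    # percent-encoded string from the page
scan_hex "$SAMPLE_PE"
scan_hex '04d5a900'                         # misaligned look-alike
```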